This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

The US-CERT Cyber Security Bulletin provides a summary of new and updated vulnerabilities, exploits, trends, and malicious code that have recently been openly reported. Information in the Cyber Security Bulletin is a compilation of open source and US-CERT vulnerability information. As such, the Cyber Security Bulletin includes information published by sources outside of US-CERT and should not be considered the result of US-CERT analysis or as an official report of US-CERT. Although this information does reflect open source reports, it is not an official description and should be used for informational purposes only. The intention of the Cyber Security Bulletin is to serve as a comprehensive directory of pertinent vulnerability reports, providing brief summaries and additional sources for further investigation.

Vulnerabilities

The tables below summarize vulnerabilities that have been reported by various open source organizations or presented in newsgroups and on web sites. Items in bold designate updates that have been made to past entries. Entries are grouped by the operating system on which the reported software operates, and vulnerabilities which affect both Windows and Unix/Linux operating systems are included in the Multiple Operating Systems table. Note that entries in each table are not necessarily vulnerabilities in that operating system, but vulnerabilities in software which operates on some version of that operating system.

Entries may contain additional US-CERT sponsored information, including Common Vulnerabilities and Exposures (CVE) numbers, National Vulnerability Database (NVD) links, Common Vulnerability Scoring System (CVSS) values, Open Vulnerability and Assessment Language (OVAL) definitions, or links to US-CERT Vulnerability Notes. Metrics, values, and information included in the Cyber Security Bulletin which have been provided by other US-CERT sponsored programs are prepared, managed, and contributed by those respective programs. CVSS values are managed and provided by the US-CERT/NIST National Vulnerability Database. Links are also provided to patches and workarounds that have been provided by the product's vendor.

The Risk levels are defined below:

High - Vulnerabilities will be labeled “High” severity if they have a CVSS base score of 7.0-10.0.

Medium - Vulnerabilities will be labeled “Medium” severity if they have a base CVSS score of 4.0-6.9.

Low - Vulnerabilities will be labeled “Low” severity if they have a CVSS base score of 0.0-3.9.

Note that scores provided prior to 11/9/2005 are approximated from only partially available CVSS metric data. Such scores are marked as "Approximated" within NVD. In particular, the following CVSS metrics are only partially available for these vulnerabilities and NVD assumes certain values based on an approximation algorithm: AccessComplexity, Authentication, ConfImpact of 'partial', IntegImpact of 'partial', AvailImpact of 'partial', and the impact biases.

Windows Operating Systems Only

Vendor & Software Name | Description | Common Name | CVSS | Resources

ASPPortal 3.1.1

A vulnerability has been reported in ASPPortal that could let remote malicious users perform SQL injection.

Secunia, Advisory: SA19296, March 20, 2006

Multiple vulnerabilities have been reported: a vulnerability was reported in JavaScript because, in certain circumstances, it is possible to bypass the same-origin policy; a buffer overflow vulnerability was reported in Mail due to a boundary error, which could let a remote malicious user execute arbitrary code; and a vulnerability was reported in Safari/LaunchServices due to an error which could lead to the execution of a malicious file.

A buffer overflow vulnerability has been reported in 'request.c' due to an error in the 'SetUp()' function when handling the 'setup' command, which could let a remote malicious user cause a Denial of Service and potentially execute arbitrary code.

A buffer overflow vulnerability has been reported due to insufficient bounds checks on user-supplied data before using in a finite sized buffer, which could let a local/remote malicious user execute arbitrary code.

Multiple vulnerabilities have been reported in the libcgi-session-perl package due to the insecure creation of temporary files, which could let a remote/local malicious user overwrite files or obtain sensitive information.

A vulnerability has been reported due to a flaw in its creation of IVs (Initialization Vectors) for ciphers with a block size larger than 8 when the RandomIV-style header is used, which could let a remote malicious user bypass security restrictions.

A buffer overflow vulnerability has been reported when handling boundary headers within email messages, which could let a remote malicious user execute arbitrary code. Note: According to Security Tracker this is a Linux/Unix vulnerability. Previously classified as multiple operating systems.

Several vulnerabilities have been reported: a buffer overflow vulnerability was reported in the 'do_replace()' function in Netfilter, which could let a remote malicious user execute arbitrary code; and a buffer overflow vulnerability was reported in 'drivers/usb/gadget/rndis.c' when handling an NDIS response to 'OID_GEN_SUPPORTED_LIST,' which could lead to the corruption of kernel memory.

A vulnerability has been reported due to an error when checking a user's privileges because the address of the 'geteuid()' function is tested and not the result of the function, which could let a malicious user bypass security restrictions.

A buffer overflow vulnerability has been reported in 'parse.c' due to a boundary error in the 'parse' function when creating an archive from a file with an overly long pathname, which could let a malicious user execute arbitrary code.

A vulnerability has been reported because the default policy is set to trust all unknown capabilities instead of considering them as insecure, which could potentially let a malicious user bypass security restrictions.

SQL injection vulnerabilities have been reported in 'viewEvent.cfm' due to insufficient sanitization of the 'EventID' parameter, in 'news/newsView.cfm' due to insufficient sanitization of the 'NewsID' parameter, and in 'mainCal.cfm' due to insufficient sanitization of the 'ThisDate' parameter, which could let a remote malicious user execute arbitrary SQL code.

No workaround or patch available at time of publishing.

Vulnerability can be exploited using a web client; however, a Proof of Concept exploit has been published.

1WebCalendar SQL Injection

Not Available

Secunia Advisory: SA19329, March 22, 2006

Adobe

Flash Player 8.0.22.0 and prior, Breeze Meeting Add-In 5.1 and prior, Shockwave Player 10.1.0.11 and prior, Flash Debug Player 7.0.14.0 and prior

A vulnerability has been reported in Flash Player that could let remote malicious users execute arbitrary code.

Several vulnerabilities have been reported: a vulnerability was reported due to an error in the restriction of an unspecified internal servlet, which could let a remote malicious user with HTTP access obtain sensitive information; and a remote Denial of Service vulnerability was reported due to an error in the XML parser.

A Cross-Site Scripting vulnerability has been reported in 'index.php' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

Vulnerability can be exploited through use of a web client; however, a Proof of Concept exploit has been published.

A buffer overflow vulnerability has been reported when parsing a URL that contains the TFTP protocol prefix 'tftp://' due to a boundary error, which could let a remote malicious user cause a Denial of Service and possibly execute arbitrary code.

Multiple vulnerabilities have been reported: a vulnerability was reported when using 'menu.module' to create a menu item, which could let a remote malicious user bypass security restrictions; a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of unspecified input before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; a vulnerability was reported when handling sessions during login due to an error, which could let a remote malicious user hijack another user's session; and a vulnerability was reported due to insufficient sanitization of unspecified input before using in mail headers, which could let a remote malicious user inject arbitrary headers in outgoing mails.

Cross-Site Scripting vulnerabilities have been reported in 'calendar.php' due to insufficient sanitization of the 'month,' 'year,' 'prev,' and 'next' parameters before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

This issue is reportedly addressed in ExtCalendar 2.0.

Vulnerabilities can be exploited through a web client; however, Proof of Concept exploits have been published.

A Cross-Site Scripting vulnerability has been reported in 'my.support.php3' due to insufficient sanitization of the 's' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

Vulnerability can be exploited through use of a web client; however, a Proof of Concept exploit has been published.

Multiple vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'inc/setLang.php' due to insufficient sanitization of the 'lang' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; a vulnerability was reported in 'inc/setLang.php' due to insufficient sanitization of the 'lang' parameter before using in an 'include_once()' call, which could let a remote malicious user obtain sensitive information; and an SQL injection vulnerability was reported in 'admin/loginfunction.php' due to insufficient sanitization of the 'username' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

No workaround or patch available at time of publishing.

Proof of Concept exploits and an exploit script, gCards-multiple-vulnerabilities.php, have been published.

Two script insertion vulnerabilities have been reported in 'zones.php' due to insufficient sanitization of the 'Name' and 'Description' fields when editing zones, which could let a remote malicious user execute arbitrary HTML and script code.

A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of unspecified input passed via the PM before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

SQL injection vulnerabilities have been reported in 'events.php' due to insufficient sanitization of the 'date' parameter and in 'menu.php' due to insufficient sanitization of the 'month' and 'year' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

SQL injection vulnerabilities have been reported in 'admin/index.php' due to insufficient sanitization of the 'email' and 'pass' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

SQL injection vulnerabilities have been reported in 'print.php' due to insufficient sanitization of the 'entry' parameter and in 'mail.php' due to insufficient sanitization of the 'email' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

Multiple input validation vulnerabilities have been reported: an SQL injection vulnerability was reported in 'auth.php' and 'logout.php' due to insufficient sanitization of the 'username' parameter and in 'chgpwd.php' due to insufficient sanitization of the 'USERNAME' and 'PASSWORD' cookie parameters, which could let a remote malicious user execute arbitrary SQL code; an SQL injection vulnerability was reported in 'admin/authuser.php' and 'admin/userstatistics.php' due to insufficient sanitization of the 'username,' 'password,' and 'filter' parameters, the 'teamname' parameter in 'admin/authgroup.php,' and the 'date' and 'id' parameters in 'admin/traffic.php' before using in SQL queries, which could let a remote malicious user execute arbitrary SQL code; and a Cross-Site Scripting vulnerability was reported in 'admin/userstatistics.php' due to insufficient sanitization of the 'username' parameter and in 'authuser.php' due to insufficient sanitization of the 'ipAddress' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

Vulnerabilities can be exploited through use of a web client; however, a Proof of Concept script, Milkeyway-0.1.1.txt, has been published.

Several vulnerabilities have been reported: an input validation vulnerability was reported due to insufficient sanitization of the remote Bluetooth device name before using in a security dialog, which could let a remote malicious user trick users into accepting certain security dialogs; and a remote Denial of Service vulnerability has been reported when an overly long OBEX 'setpath()' is submitted via the OBEX File Transfer service if the attacker's device has been paired.

Vulnerability has reportedly been fixed by the vendor.

A Proof of Concept exploit has been published for the dialog spoofing vulnerability.

A Cross-Site Scripting vulnerability has been reported in 'member.php' due to insufficient sanitization of the 'url' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

Several vulnerabilities have been reported because 'NILE.NLM' allows clients to establish SSL connections that use no encryption or weak ciphers, which could let a malicious user bypass security restrictions.

A Cross-Site Scripting vulnerability has been reported in 'Status_Image.PHP' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

Vulnerability can be exploited using a web client; however, a Proof of Concept exploit has been published.

PHP Live! Cross-Site Scripting

Not Available

Security Focus, Bugtraq ID: 17184, March 22, 2006

OSWiki

OSWiki prior to 0.3.1

A vulnerability has been reported due to insufficient sanitization of the username before displaying, which could let a remote malicious user execute arbitrary HTML and script code.

An SQL injection vulnerability has been reported in 'index.php' due to insufficient sanitization of the 'oxynews_comment_id' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

No workaround or patch available at time of publishing.

Vulnerability can be exploited with a web browser; however, a Proof of Concept exploit has been published.

Several vulnerabilities have been reported: a file include vulnerability was reported in the 'phpicalendar' cookie due to insufficient verification of the 'cookie_language' and 'cookie_style' parameters, which could let a remote malicious user include arbitrary files; and a file upload vulnerability was reported due to insufficient access controls to the calendar upload directory, which could let a remote malicious user execute arbitrary PHP code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proof of Concept exploit scripts, php_ical_2.2.1_local_file_include.php and php-iCalendar-221.upload.php, have been published.

Cross-Site Scripting vulnerabilities have been reported in 'index.php' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proof of Concept exploits have been published.

A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of the 'set_theme' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

Vulnerability can be exploited with a web browser; however, a Proof of Concept exploit has been published.

SQL injection vulnerabilities have been reported in 'article.php' and 'friend.php' due to insufficient sanitization of the 'sid' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

No workaround or patch available at time of publishing.

Vulnerabilities can be exploited through a web client; however, Proof of Concept exploits have been published.

An SQL injection vulnerability has been reported in 'count.php' due to insufficient sanitization of the 'count_fieldname,' 'url_fieldname,' and 'url' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

A Cross-Site Scripting vulnerability has been reported in 'guestbook.php' due to insufficient sanitization of the 'url' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

An SQL injection vulnerability has been reported in 'reg.php' due to insufficient sanitization of the 'mail' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

No workaround or patch available at time of publishing.

Vulnerability can be exploited through a web client; however, a Proof of Concept exploit script, softbb_poc.py, has been published.

A Cross-Site Scripting vulnerability has been reported in the Research Module due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.

A Cross-Site Scripting vulnerability has been reported in 'haydn.exe' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

Vulnerability can be exploited with a web browser; however, a Proof of Concept exploit has been published.

A Cross-Site Scripting vulnerability has been reported in 'Class_DB_MySQL.PHP' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

Vulnerability can be exploited using a web client; however, a Proof of Concept exploit has been published.

Mobiles help knowledge workers most: According to a report from the Centre for Economic and Business Research (CEBR), mobile phones increased the productivity of workers by nearly one percent in 2004. According to the report, mobile phones enabled staff to save about 20 minutes per day. However, the research also found that benefits were largely concentrated in the hands of two million mobile knowledge workers. These tend to be professionals who make heavy use of mobiles to keep in touch with customers and colleagues while traveling.

FaceTime identifies new IM botnet threat: A new threat has been identified by research experts at FaceTime Security Labs(TM) that affects instant messaging (IM) applications. Acting on an anonymous tip, they uncovered two "botnet" networks that collectively represent up to 150,000 compromised computers. One is used as a vehicle to fraudulently scan desktop and back-end systems to obtain credit card numbers, bank accounts, and personal information including log-ins and passwords.

Crimeware, Trojan redirector targeting more than 100 banks: Websense® Security Labs™ has received reports of a Trojan Horse that is targeting users of more than 100 financial institutions in the United States and Europe. The malicious code checks to see if there is an active window open (either "my computer" or Internet Explorer). If one of these applications is not open, the malicious code modifies the contents of the hosts file on the local machine with a list of sites all pointing to localhost (127.0.0.1). If either of these applications is open, the malicious code performs a DNS lookup to a DNS server hosted in Russia and receives an address for a website.

Viruses/Trojans

Top Ten Virus Threats

A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.

Rank | Common Name | Type of Code | Trend | Date | Description

1 | Netsky-P | Win32 Worm | Stable | March 2004
A mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders.

2 | Zafi-B | Win32 Worm | Stable | June 2004
A mass-mailing worm that spreads via e-mail using several different languages, including English, Hungarian and Russian. When executed, the worm makes two copies of itself in the %System% directory with randomly generated file names.

3 | Lovgate.w | Win32 Worm | Stable | April 2004
A mass-mailing worm that propagates by using MAPI as a reply to messages, by using an internal SMTP engine, by dropping copies of itself on network shares, and through peer-to-peer networks. Attempts to access all machines in the local area network.

4 | Mytob-GH | Win32 Worm | Stable | November 2005
A variant of the mass-mailing worm that disables security related programs and allows others to access the infected system. This version sends itself to email addresses harvested from the system, forging the sender's address.

5 | Netsky-D | Win32 Worm | Stable | March 2004
A simplified variant of the Netsky mass-mailing worm in that it does not contain many of the text strings that were present in NetSky.C and it does not copy itself to shared folders. Netsky.D spreads itself in e-mails as an executable attachment only.

6 | Mytob-AS | Win32 Worm | Stable | June 2005
A slight variant of the mass-mailing worm that disables security related programs and processes, redirects various sites, and changes registry values. This version downloads code from the net and utilizes its own email engine.

7 | Sober-Z | Win32 Worm | Stable | December 2005
This worm travels as an email attachment, forging the sender's address, harvesting addresses from infected machines, and using its own mail engine. It further downloads code from the internet, installs into the registry, and reduces overall system security.

8 | Mytob.C | Win32 Worm | Stable | March 2004
A mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the Windows LSASS (MS04-011) exploit. The worm will attempt to harvest email addresses from the local hard disk by scanning files.

9 | Zafi-D | Win32 Worm | Stable | December 2004
A mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer.

10 | Mytob-BE | Win32 Worm | Stable | June 2005
A slight variant of the mass-mailing worm that utilizes an IRC backdoor, the LSASS vulnerability, and email to propagate. It harvests addresses from the Windows address book, disables antivirus software, and modifies data.

The US-CERT Cyber Security Bulletin provides a summary of new and updated vulnerabilities, exploits, trends, and malicious code that have recently been openly reported. Information in the Cyber Security Bulletin is a compilation of open source and US-CERT vulnerability information. As such, the Cyber Security Bulletin includes information published by sources outside of US-CERT and should not be considered the result of US-CERT analysis or as an official report of US-CERT. Although this information does reflect open source reports, it is not an official description and should be used for informational purposes only. The intention of the Cyber Security Bulletin is to serve as a comprehensive directory of pertinent vulnerability reports, providing brief summaries and additional sources for further investigation.

Vulnerabilities

The tables below summarize vulnerabilities that have been reported by various open source organizations or presented in newsgroups and on web sites. Items in bold designate updates that have been made to past entries. Entries are grouped by the operating system on which the reported software operates, and vulnerabilities which affect both Windows and Unix/ Linux Operating Systems are included in the Multiple Operating Systems table. Note, entries in each table are not necessarily vulnerabilities in that operating system, but vulnerabilities in software which operate on some version of that operating system.

Entries may contain additional US-CERT sponsored information, including Common Vulnerabilities and Exposures (CVE) numbers, National Vulnerability Database (NVD) links, Common Vulnerability Scoring System (CVSS) values, Open Vulnerability and Assessment Language (OVAL) definitions, or links to US-CERT Vulnerability Notes. Metrics, values, and information included in the Cyber Security Bulletin which has been provided by other US-CERT sponsored programs, is prepared, managed, and contributed by those respective programs. CVSS values are managed and provided by the US-CERT/ NIST National Vulnerability Database. Links are also provided to patches and workarounds that have been provided by the product’s vendor.

The Risk levels are defined below:

High - Vulnerabilities will be labeled “High” severity if they have a CVSS base score of 7.0-10.0.

Medium - Vulnerabilities will be labeled “Medium” severity if they have a base CVSS score of 4.0-6.9.

Low - Vulnerabilities will be labeled “Low” severity if they have a CVSS base score of 0.0-3.9.

Note that scores provided prior to 11/9/2005 are approximated from only partially available CVSS metric data. Such scores are marked as "Approximated" within NVD. In particular, the following CVSS metrics are only partially available for these vulnerabilities and NVD assumes certain values based on an approximation algorithm: AccessComplexity, Authentication, ConfImpact of 'partial', IntegImpact of 'partial', AvailImpact of 'partial', and the impact biases.

Windows Operating Systems Only

Vendor & Software Name

Description

Common Name

CVSS

Resources

ASPPortal 3.1.1

A vulnerability has been reported in ASPPortal that could let remote malicious users perform SQL injection.

Secunia, Advisory: SA19296, March 20, 2006

Multiple vulnerabilities have been reported: a vulnerability was reported in JavaScript because in certain circumstances because it is possible to bypass the same-origin policy; a buffer overflow vulnerability was reported in Mail due to a boundary error, which could let a remote malicious user execute arbitrary code; and a vulnerability was reported in Safari/LaunchServices due to an error which could lead to the execution of a malicious file.

A buffer overflow vulnerability has been reported in 'request.c' due to an error in the 'SetUp()' function when handling the 'setup' command, which could let a remote malicious user cause a Denial of Service and potentially execute arbitrary code.

A buffer overflow vulnerability has been reported due to insufficient bounds checks on user-supplied data before using in a finite sized buffer, which could let a local/remote malicious user execute arbitrary code.

Multiple vulnerabilities have been reported in the libcgi-session-perl package due to the insecure creation of temporary files, which could let a remote/local malicious user overwrite files or obtain sensitive information.

A vulnerability has been reported due to a flaw in its creation of IVs (Initialization Vectors) for ciphers with a blocksize larger than 8 when the RandonIV-style header is used, which could let a remote malicious user bypass security restrictions.

A buffer overflow vulnerability has been reported when handling boundary headers within email messages, which could let a remote malicious user execute arbitrary code. Note: According to Security Tracker this is a Linux/Unix vulnerability. Previously classified as multiple operating systems.

Several vulnerabilities have been reported: a buffer overflow vulnerability was reported in the 'do_replace()' function in Netfilter, which could let a remote malicious user execute arbitrary code; and a buffer overflow vulnerability was reported in 'drivers/usb/gadget/mdis.c' when handling a NDIS response to 'OID_GEN_SUPPORTED
_LIST,' which could lead to the corruption of kernel memory.

A vulnerability has been reported due to an error when checking a user's privileges because the address of the 'geteuid()' function is tested and not the result of the function, which could let a malicious user bypass security restrictions.

A buffer overflow vulnerability has been reported in 'parse.c' due to a boundary error in the 'parse' function when creating an archive from a file with an overly long pathname, which could let a malicious user execute arbitrary code.

A vulnerability has been reported because the default policy is set to trust all unknown capabilities instead of considering them as insecure, which could potentially let a malicious user bypass security restrictions.

SQL injection vulnerabilities have been reported in 'viewEvent.cfm' due to insufficient sanitization of the 'EventID' parameter, in 'news/newsView.cfm' due to insufficient sanitization of the 'NewsID' parameter, and in 'mainCal.cfm' due to insufficient sanitization of the 'ThisDate' parameter, which could let a remote malicious user execute arbitrary SQL code.

No workaround or patch available at time of publishing.

Vulnerability can be exploited using a web client; however, a Proof of Concept exploit has been published.

1WebCalendar SQL Injection

Not Available

Secunia Advisory: SA19329, March 22, 2006

Adobe

Flash Player 8.0.22.0 and prior, Breeze Meeting Add-In 5.1 and prior, Shockwave Player 10.1.0.11 and prior, Flash Debug Player 7.0.14.0 and prior

A vulnerability has been reported in Flash Player that could let remote malicious users execute arbitrary code.

Several vulnerabilities have been reported: a vulnerability was reported due to an error in the restriction of an unspecified internal servlet, which could let a remote malicious user with HTTP access obtain sensitive information; and a remote Denial of Service vulnerability was reported due to an error in the XML parser.

A Cross-Site Scripting vulnerability has been reported in 'index.php' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

Vulnerability can be exploited through use of a web client; however, a Proof of Concept exploit has been published.

A buffer overflow vulnerability has been reported when parsing a URL that contains the TFTP protocol prefix 'tftp://' due to a boundary error, which could let a remote malicious user cause a Denial of Service and possibly execute arbitrary code.

Multiple vulnerabilities have been reported: a vulnerability was reported when using 'menu.module' to create a menu item, which could let a remote malicious user bypass security restrictions; a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of unspecified input before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; a vulnerability was reported when handling sessions during login due to an error, which could let a remote malicious user hijack another user's session; and a vulnerability was reported due to insufficient sanitization of unspecified input before using in mail headers, which could let a remote malicious user inject arbitrary headers in outgoing mails.

Cross-Site Scripting vulnerabilities have been reported in 'calendar.php' due to insufficient sanitization of the 'month,' 'year,' 'prev,' and 'next' parameters before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

This issue is reportedly addressed in ExtCalendar 2.0.

Vulnerabilities can be exploited through a web client; however, Proof of Concept exploits have been published.

A Cross-Site Scripting vulnerability has been reported in 'my.support.php3' due to insufficient sanitization of the 's' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

Vulnerability can be exploited through use of a web client; however, a Proof of Concept exploit has been published.

Multiple vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'inc/setLang.php' due to insufficient sanitization of the 'lang' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; a vulnerability was reported in 'inc/setLang.php' due to insufficient sanitization of the 'lang' parameter before using in an 'include_once()' call, which could let a remote malicious user obtain sensitive information; and an SQL injection vulnerability was reported in 'admin/loginfunction.php' due to insufficient sanitization of the 'username' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

No workaround or patch available at time of publishing.

Proof of Concept exploits and an exploit script, gCards-multiple-vulnerabilities.php, have been published.

Two script insertion vulnerabilities have been reported in 'zones.php' due to insufficient sanitization of the 'Name' and 'Description' fields when editing zones, which could let a remote malicious user execute arbitrary HTML and script code.

A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of unspecified input passed via the PM before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

SQL injection vulnerabilities have been reported in 'events.php' due to insufficient sanitization of the 'date' parameter and in 'menu.php' due to insufficient sanitization of the 'month' and 'year' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

SQL injection vulnerabilities have been reported in 'admin/index.php' due to insufficient sanitization of the 'email' and 'pass' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

SQL injection vulnerabilities have been reported in 'print.php' due to insufficient sanitization of the 'entry' parameter and in 'mail.php' due to insufficient sanitization of the 'email' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

Multiple input validation vulnerabilities have been reported: an SQL injection vulnerability was reported in 'auth.php' and 'logout.php' due to insufficient sanitization of the 'username' parameter and in 'chgpwd.php' due to insufficient sanitization of the 'USERNAME' and 'PASSWORD' cookie parameters, which could let a remote malicious user execute arbitrary SQL code; an SQL injection vulnerability was reported in 'admin/authuser.php' and 'admin/userstatistics.php' due to insufficient sanitization of the 'username,' 'password,' and 'filter' parameters, the 'teamname' parameter in 'admin/authgroup.php,' and the 'date' and 'id' parameters in 'admin/traffic.php' before using in SQL queries, which could let a remote malicious user execute arbitrary SQL code; and a Cross-Site Scripting vulnerability was reported in 'admin/userstatistics.php' due to insufficient sanitization of the 'username' parameter and in 'authuser.php' due to insufficient sanitization of the 'ipAddress' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

Vulnerabilities can be exploited through use of a web client; however, a Proof of Concept script, Milkeyway-0.1.1.txt, has been published.

Several vulnerabilities have been reported: an input validation vulnerability was reported due to insufficient sanitization of the remote Bluetooth device name before using in a security dialog, which could let a remote malicious user trick users into accepting certain security dialogs; and a remote Denial of Service vulnerability has been reported when an overly long OBEX 'setpath()' is submitted via the OBEX File Transfer service if the attacker's device has been paired.

Vulnerability has reportedly been fixed by the vendor.

A Proof of Concept exploit has been published for the dialog spoofing vulnerability.

A Cross-Site Scripting vulnerability has been reported in 'member.php' due to insufficient sanitization of the 'url' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

Several vulnerabilities have been reported because 'NILE.NLM' allows clients to establish SSL connections that use no encryption or weak ciphers, which could let a malicious user bypass security restrictions.

A Cross-Site Scripting vulnerability has been reported in 'Status_Image.PHP' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

Vulnerability can be exploited using a web client; however, a Proof of Concept exploit has been published.

PHP Live! Cross-Site Scripting

Not Available

Security Focus, Bugtraq ID: 17184, March 22, 2006

OSWiki

OSWiki prior to 0.3.1

A vulnerability has been reported due to insufficient sanitization of the username before displaying, which could let a remote malicious user execute arbitrary HTML and script code.

An SQL injection vulnerability has been reported in 'index.php' due to insufficient sanitization of the 'oxynews_comment_id' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

No workaround or patch available at time of publishing.

Vulnerability can be exploited with a web browser; however, a Proof of Concept exploit has been published.

Several vulnerabilities have been reported: a file include vulnerability was reported in the 'phpicalendar' cookie due to insufficient verification of the 'cookie_language' and 'cookie_style' parameters, which could let a remote malicious user include arbitrary files; and a file upload vulnerability was reported due to insufficient access controls to the calendar upload directory, which could let a remote malicious user execute arbitrary PHP code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proof of Concept exploit scripts, php_ical_2.2.1_local_file_include.php and php-iCalendar-221.upload.php, have been published.

Cross-Site Scripting vulnerabilities have been reported in 'index.php' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

There is no exploit code required; however, Proof of Concept exploits have been published.

A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of the 'set_theme' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

Vulnerability can be exploited with a web browser; however, a Proof of Concept exploit has been published.

SQL injection vulnerabilities have been reported in 'article.php' and 'friend.php' due to insufficient sanitization of the 'sid' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

No workaround or patch available at time of publishing.

Vulnerabilities can be exploited through a web client; however, Proof of Concept exploits have been published.

An SQL injection vulnerability has been reported in 'count.php' due to insufficient sanitization of the 'count_fieldname,' 'url_fieldname,' and 'url' parameters before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

A Cross-Site Scripting vulnerability has been reported in 'guestbook.php' due to insufficient sanitization of the 'url' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.

An SQL injection vulnerability has been reported in 'reg.php' due to insufficient sanitization of the 'mail' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.

No workaround or patch available at time of publishing.

Vulnerability can be exploited through a web client; however, a Proof of Concept exploit script, softbb_poc.py, has been published.

A Cross-Site Scripting vulnerability has been reported in the Research Module due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.

A Cross-Site Scripting vulnerability has been reported in 'haydn.exe' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

Vulnerability can be exploited with a web browser; however, a Proof of Concept exploit has been published.

A Cross-Site Scripting vulnerability has been reported in 'Class_DB_MySQL.PHP' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.

No workaround or patch available at time of publishing.

Vulnerability can be exploited using a web client; however, a Proof of Concept exploit has been published.

Mobiles help knowledge workers most: According to a report from the Centre for Economic and Business Research (CEBR), mobile phones increased the productivity of workers by nearly one percent in 2004. According to the report, mobile phones enabled staff to save about 20 minutes per day. However, the research also found that benefits were largely concentrated in the hands of two million mobile knowledge workers. These tend to be professionals who make heavy use of mobiles to keep in touch with customers and colleagues while traveling.

FaceTime identifies new IM botnet threat: A new threat has been identified by research experts at FaceTime Security Labs(TM) that affects instant messaging (IM) applications. Acting on an anonymous tip, they uncovered two "botnet" networks that collectively represent up to 150,000 compromised computers. One is used as a vehicle to fraudulently scan desktop and back-end systems to obtain credit card numbers, bank accounts, and personal information including log-ins and passwords.

Crimeware, Trojan redirector targeting more than 100 banks: Websense® Security Labs™ has received reports of a Trojan Horse that is targeting users of more than 100 financial institutions in the United States and Europe. The malicious code checks to see if there is an active window open (either "my computer" or Internet Explorer). If one of these applications is not open, the malicious code modifies the contents of the hosts file on the local machine with a list of sites all pointing to localhost (127.0.0.1). If either of these applications is open, the malicious code performs a DNS lookup to a DNS server hosted in Russia and receives an address for a website.

Viruses/Trojans

Top Ten Virus Threats

A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.

| Rank | Common Name | Type of Code | Trend | Date | Description |
|---|---|---|---|---|---|
| 1 | Netsky-P | Win32 Worm | Stable | March 2004 | A mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders. |
| 2 | Zafi-B | Win32 Worm | Stable | June 2004 | A mass-mailing worm that spreads via e-mail using several different languages, including English, Hungarian and Russian. When executed, the worm makes two copies of itself in the %System% directory with randomly generated file names. |
| 3 | Lovgate.w | Win32 Worm | Stable | April 2004 | A mass-mailing worm that propagates by using MAPI as a reply to messages, by using an internal SMTP engine, by dropping copies of itself on network shares, and through peer-to-peer networks. It attempts to access all machines in the local area network. |
| 4 | Mytob-GH | Win32 Worm | Stable | November 2005 | A variant of the mass-mailing worm that disables security-related programs and allows others to access the infected system. This version sends itself to email addresses harvested from the system, forging the sender's address. |
| 5 | Netsky-D | Win32 Worm | Stable | March 2004 | A simplified variant of the Netsky mass-mailing worm: it does not contain many of the text strings that were present in Netsky.C and it does not copy itself to shared folders. Netsky.D spreads itself in e-mails as an executable attachment only. |
| 6 | Mytob-AS | Win32 Worm | Stable | June 2005 | A slight variant of the mass-mailing worm that disables security-related programs and processes, redirects various sites, and changes registry values. This version downloads code from the net and utilizes its own email engine. |
| 7 | Sober-Z | Win32 Worm | Stable | December 2005 | This worm travels as an email attachment, forging the sender's address, harvesting addresses from infected machines, and using its own mail engine. It further downloads code from the internet, installs itself into the registry, and reduces overall system security. |
| 8 | Mytob.C | Win32 Worm | Stable | March 2004 | A mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the Windows LSASS (MS04-011) exploit. The worm will attempt to harvest email addresses from the local hard disk by scanning files. |
| 9 | Zafi-D | Win32 Worm | Stable | December 2004 | A mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer. |
| 10 | Mytob-BE | Win32 Worm | Stable | June 2005 | A slight variant of the mass-mailing worm that uses an IRC backdoor, the LSASS vulnerability, and email to propagate. It harvests addresses from the Windows address book, disables antivirus software, and modifies data. |